An update is now available for Red Hat JBoss Enterprise Application Platform.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.

This release of Red Hat JBoss Enterprise Application Platform 6.4.19 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.18, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

* It was found that when Artemis and HornetQ are configured with UDP discovery and JGroups discovery, a huge byte array is created when receiving an unexpected multicast message. This may result in heap memory exhaustion, full GC, or OutOfMemoryError. (CVE-2017-12174)

* A vulnerability was discovered in Tomcat where if a servlet context was configured with readonly=false and HTTP PUT requests were allowed, an attacker could upload a JSP file to that context and achieve code execution. (CVE-2017-12617)

* A vulnerability was found in the way RemoteMessageChannel, introduced in jboss-remoting versions 3.3.10.Final-redhat-1, reads from an empty buffer. An attacker could use this flaw to cause a denial of service via high CPU caused by an infinite loop. (CVE-2018-1041)
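The CVE-2017-12617 entry above hinges on one deployment setting: a DefaultServlet whose readonly init-param is false. The following audit check is an added example, not part of this advisory or of Red Hat's tooling; it assumes the Tomcat-style web.xml layout (servlet-class ending in .DefaultServlet, init-param readonly) and uses constructed sample descriptors, one weak and one corrected.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml fragment (not from any real deployment) that turns
# the DefaultServlet writable: the weak setting named in CVE-2017-12617.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""
# Corrected fragment: readonly=true, which is also Tomcat's default when unset.
FIXED_WEB_XML = WEAK_WEB_XML.replace("<param-value>false</param-value>",
                                     "<param-value>true</param-value>")


def _local(tag):
    # Strip the XML namespace: '{http://...}servlet' -> 'servlet'.
    return tag.rsplit("}", 1)[-1]


def _children(elem):
    # Map local child tag name -> stripped text, e.g. {'param-name': 'readonly'}.
    return {_local(c.tag): (c.text or "").strip() for c in elem}


def writable_default_servlets(web_xml_text):
    """Return servlet-names of DefaultServlet entries with an explicit
    readonly=false init-param (empty list: no DefaultServlet write access)."""
    findings = []
    for servlet in ET.fromstring(web_xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        fields = _children(servlet)
        if not fields.get("servlet-class", "").endswith(".DefaultServlet"):
            continue
        params = {}
        for child in servlet:
            if _local(child.tag) == "init-param":
                kv = _children(child)
                params[kv.get("param-name")] = kv.get("param-value", "")
        # Only an explicit false is a finding; the default is read-only.
        if params.get("readonly", "true").lower() == "false":
            findings.append(fields.get("servlet-name", "?"))
    return findings
```

Run it over each deployed conf/web.xml and per-application WEB-INF/web.xml; any name it returns is a context where HTTP PUT could write files and should be set back to readonly=true unless writes are deliberately required.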